When creating a new CA with a customer certificate profile which restricts the key length to a specific size, this restriction is completely ignored. I.e. if the key length in the profile was set to only 4096 and the user provides a key of length 2048, EJBCA will still issue a certificate.
The bug happens when using the "CA Functions" -> "Certification Authorities" -> "Add CA", just to emphasize (I don't think end entity sub CAs are getting affected).
Steps to reproduce:
1. Create a new certificate profile, based on "ROOTCA", calling it "TestRootCA".
2. Edit the "TestRootCA" certificate profile, setting the available key lengths to "4096".
3. Create a crypto token called "TestRootCA" (soft token will do).
4. In crypto token TestRootCA, create a signing RSA key, length 2048, named "signKey", a 1024 RSA key named "testKey", and a 2048 RSA key named "defaultKey".
5. Create a new CA, using the "TestRootCA" certificate profile and crypto token "TestRootCA" (signKey as signing key, defaultKey as default key, and testKey as test key).
Expected results:
1. An error is shown to the user, stating that the key length for the signing key used for the CA does not comply with the certificate profile restrictions.
2. CA is not created.
Actual results:
1. CA is created.
2. Resulting CA has a self-signed certificate with a 2048-bit public key.
The default software token that gets created will sport 2048 RSA keys too, as a side-note. I have also been able to renew these root CAs with differing key sizes (compared to what is specified in the profile).
In a way, the certificate profile should serve as a bit of a parachute in case an operator creates a key of the wrong size, and this behaviour eliminates this useful restriction. That is why I have set the bug to critical (i.e. don't need it immediately, but it's a bit of an ugly bug).
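
The check the expected results describe, as an added example using only JDK classes (it is not EJBCA code and not part of the original report): the CA signing key is compared against the profile's available key lengths before any certificate is issued. The class, method and exception names are hypothetical; the 4096 and 2048 values mirror the reproduction steps.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Set;

public class ProfileKeyLengthCheck {

    /** Hypothetical exception type; not an EJBCA class. */
    static class IllegalKeyLengthException extends Exception {
        IllegalKeyLengthException(String msg) { super(msg); }
    }

    /** Rejects a key whose RSA modulus size is not among the profile's available key lengths. */
    static void checkAgainstProfile(String alias, PublicKey key, Set<Integer> availableBitLengths)
            throws IllegalKeyLengthException {
        if (!(key instanceof RSAPublicKey)) {
            // Assumption: this example only covers the RSA case from the report.
            throw new IllegalKeyLengthException(alias + ": only RSA keys are handled here");
        }
        int bits = ((RSAPublicKey) key).getModulus().bitLength();
        if (!availableBitLengths.contains(bits)) {
            throw new IllegalKeyLengthException(alias + ": " + bits
                    + "-bit RSA key is not permitted by the certificate profile, allowed: "
                    + availableBitLengths);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the "TestRootCA" profile: only 4096 is available.
        Set<Integer> testRootCaProfile = Set.of(4096);

        // Constructed stand-in for "signKey" in the crypto token: a 2048-bit RSA key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signKey = gen.generateKeyPair();

        try {
            // Run the check before the self-signed CA certificate would be generated.
            checkAgainstProfile("signKey", signKey.getPublic(), testRootCaProfile);
            System.out.println("CA created");
        } catch (IllegalKeyLengthException e) {
            System.out.println("CA not created: " + e.getMessage());
        }
    }
}
```

The same comparison applies on CA renewal, where the report notes that differing key sizes were also accepted.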